Signing AppImages

AppImages can be digitally signed by the person that has produced the AppImage. This ensures that the AppImage comes from the person who pretends to be the author, and ensures that the file has not been tampered with.

The AppImages specification allows the AppImage file to carry a digital signature built into the AppImages. This means that the signature does not need to be an external file, but can be carried inside the AppImage itself, similar to how signatures work for traditional Linux packages (such as .deb or .rpm files).

Embedding a signature inside an AppImage

While it would be possible to embed signatures manually, the easiest way to produce a digitally signed AppImage is to use the appimagetool command line tool. The internally uses gpg or gpg2 if it is installed and configured on the system.

Especially, a key for signing must be prepared before AppImages can be signed. If the machine on which the AppImage is being generated does not have a valid signing key yet, a new one can be generated using

$ gpg2 --full-gen-key

Please refer to the gpg or gpg2 documentation for additional information. You should take additional care to backup your private and public keys in a secure location.

Once you’re signing keys have been set up, you can sign AppImages at AppImage creation time using

$ ./appimagetool-x86_64.AppImage some.AppDir --sign

This will sign the AppImage with gpg[2] and will put the signature into the AppImage.

Reading the signature

You can display the digital signature that is embedded in AppImage by running the AppImage with the --appimage-signature option like this:

$ ./XChat_IRC-x86_64.AppImage --appimage-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAABCAAGBQJX6CN9AAoJENBdKWeGw9/dsvoH/RgEggMiNTwgyA4io2Dyy1j1
6U3CQST9HVmh9PjeFKZCgFCZbHvpFz9mzhLTPlOAbczBnSmmbgqROINaLW+1tqEx
stOy67D3Z1cySzRTOhSkjiUOP5unmZL6QTNPxRHmuRkyihv7YfAlkrogXQlYbZ1h
Ilt6jU1b97GSPox/EE3Z002iZGJYQ3FfjAlp9o947goY5koA5KYqyzTCvEjhTk/L
wz1mFcjEkzHt9CaHZfrZCE3QVSBTq071wzsHCFHaJswPhA6iI0psCnFY56PPResi
uljTQr3nOBaqNyUgU3y4Tbd+36cwggSaTpGAzlhgNoalIwB1ltFSdPeRPe4Q3Qc=
=MR0w
-----END PGP SIGNATURE-----

Note

Please note that while this displays the signature, it does not validate the signature. In other words, this does not tell you whether the signature is valid or not, or whether the file has been tampered with or not. To validate the signature, an external tool (which is not part of AppImage that needs to be validated) needs to be used.

Validating the signature

To validate a signature of an an AppImage and to determine whether an AppImage has been compromised, an external tool needs to be used. There is a very simple tool called validate that can do this.

$ chmod a+x ./validate
$ ./validate ./XChat_IRC-x86_64.AppImage

gpg: Signature made Sun 25 Sep 2016 10:41:24 PM CEST using RSA key ID 86C3DFDD
gpg: Good signature from "Testkey" [ultimate]

Signature validation can also be integrated into higher level software such as the optional appimaged daemon and/or AppImageUpdate. For example the appimaged daemon may decide to run applications without a valid signature in a confined sandbox in the future, if the system is set up accordingly.

Todo

It may be desirable to integrate validate functionality into libappimage and into tools like appimagetool, the optional appimaged demon and/or AppImageUpdate.